{ "name": "Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components", "slug": "defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components", "description": "CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP request. Exploitation has been detected since December 5, 2025, primarily in red team assessments but also in real-world attacks delivering coin miners. The vulnerability stems from a failure to validate incoming payloads in React Server Components, enabling attackers to inject malicious structures leading to prototype pollution and remote code execution. Post-exploitation activities include running reverse shells, achieving persistence, evading security defenses, and attempting lateral movement to cloud resources.", "published": "2025-12-15T20:41:54+00:00", "created_at": "2025-12-15T20:41:54+00:00", "modified_at": "2025-12-21T18:05:24+00:00", "created_at_opencti": "2025-12-15T20:41:54+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-12-15", "CVE-2025-55182", "etherrat", "react2shell", "remote code execution", "snowlight", "vshell", "vulnerability" ], "related_entities": { "observables": [ { "id": "", "name": "46.36.37.85" }, { "id": "", "name": "92.246.87.48" }, { "id": "", "name": "194.69.203.32" }, { "id": "", "name": "http://194.69.203.32:81/hiddenbink/colonna.arc" }, { "id": "", "name": "http://194.69.203.32:81/hiddenbink/react.sh" }, { "id": "", "name": "https://overcome-pmc-conferencing-books.trycloudflare.com/p.png" }, { "id": "", "name": "http://krebsec.anondns.net:2316/dong" }, { "id": "", "name": "http://xpertclient.net:3000/sex.sh" }, { "id": "", "name": "http://donaldjtrmp.anondns.net:1488/labubu" }, { "id": "", "name": "http://anywherehost.site/xms/kill2.sh" }, { "id": "", "name": "https://ghostbin.axel.org/paste/evwgo/raw" }, { "id": "", "name": "http://196.251.100.191/no_killer/Exodus.x86" }, { "id": "", "name": "http://194.69.203.32:81/hiddenbink/colonna.i686" }, { "id": "", "name": "http://superminecraft.net.br:3000/sex.sh" }, { "id": "", "name": "http://196.251.100.191/no_killer/Exodus.arm4" }, { "id": "", "name": "http://196.251.100.191/no_killer/Exodus.x86_64" }, { "id": "", "name": "http://labubu.anondns.net:1488/dong" }, { "id": "", "name": "http://anywherehost.site/xms/k1.sh" }, { "id": "", "name": "69f2789a539fc2867570f3bbb71102373a94c7153239599478af84b9c81f2a03" }, { "id": "", "name": "f0d3d5668a4df347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf" }, { "id": "", "name": "0aad73947fb1876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a" }, { "id": "", "name": "7909046e5e0fd60461b721c0ef7cfe5899f76672e4970d629bb51bb904a05398" }, { "id": "", "name": "b33d468641a0d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8" }, { "id": "", "name": "59630d8f3b4db5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc8700" }, { "id": "", "name": "717c849a1331b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d2" }, { "id": "", "name": "c2867570f3bbb71102373a94c7153239599478af84b9c81f2a0368de36f14a7c" }, { "id": "", "name": "d71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b59630d8f3b4d" }, { "id": "", "name": "7e0a0c48ee0f65c72a252335f6dcd435dbd448fc0414b295f635372e1c5a9171" }, { "id": "", "name": "c6c7e7dd85c0578dd7cb24b012a665a9d5210cce8ff735635a45605c3af1f6ad" }, { "id": "", "name": "244bf271d2e55cd737980322de37c2c2792154b4cf4e4893e9908c2819026e5f" }, { "id": "", "name": "9dde35ba8e132ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083" }, { "id": "", "name": "9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df717c849a1331" }, { "id": "", "name": "82335954bec84cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0d" }, { "id": "", "name": "f347eb0a59df167acddb245f022a518a6d15e37614af0bbc2adf317e10c4068b" }, { "id": "", "name": "661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e0aad73947fb1" }, { "id": "", "name": "d60461b721c0ef7cfe5899f76672e4970d629bb51bb904a053987e0a0c48ee0f" }, { "id": "", "name": "317e10c4068b661d3721adaa35a30728739defddbc72b841c3d06aca0abd4d5e" }, { "id": "", "name": "f0b66629fe8ad71779df5e4126c389e7702f975049bd17cb597ebcf03c6b110b" }, { "id": "", "name": "4cbdd019cfa474f20f4274310a1477e03e34af7c62d15096fe0df0d3d5668a4d" }, { "id": "", "name": "68de36f14a7c9e9514533a347d7c6bc830369c7528e07af5c93e0bf7c1cd86df" }, { "id": "", "name": "b5acbcaccc0cfa54500f2bbb0745d4b5c50d903636f120fc870082335954bec8" }, { "id": "", "name": "b568582240509227ff7e79b6dc73c933dcc3fae674e9244441066928b1ea0560" }, { "id": "", "name": "f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b8e07beb854f7" }, { "id": "", "name": "876923709213333099b8c728dde9f5d86acfd0f3702a963bae6a9dde35ba8e13" }, { "id": "", "name": "7e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f244bf271d2e5" }, { "id": "", "name": "d3c897e571426804c65daae3ed939eab4126c3aa3fa8531de5e8f0b66629fe8a" }, { "id": "", "name": "240afa3a6457f1ee866f6f03ff815009ff8fd7b70b902bc59b037ac54b6cae9b" }, { "id": "", "name": "8e07beb854f77e90c174829bd4e01e86779d596710ad161dbc0e02a219d6227f" }, { "id": "", "name": "2ebed29e70f57da0c4f36a9401a7bbd36e6ddd257e0920aa4083240afa3a6457" }, { "id": "", "name": "b63860cefa128a4aa5d476f300ac45fd5d3c56b2746f7e72a0d27909046e5e0f" } ], "malware": [ { "id": "226e045b-92c4-4d99-b2b4-ff0c4a87902a", "name": "SNOWLIGHT", "slug": "snowlight" }, { "id": "legacy:malware:92b828cd8ebb8640", "name": "ShadowPad - S0596", "slug": "shadowpad-s0596" }, { "id": "legacy:malware:8751734eb3ace7ff", "name": "POISONPLUG.SHADOW", "slug": "poisonplugshadow" }, { "id": "legacy:malware:5f3b76a45f86aba0", "name": "EtherRAT", "slug": "etherrat" }, { "id": "legacy:malware:f5ad0dfc2e127b74", "name": "VShell", "slug": "vshell" }, { "id": "legacy:malware:83adebc6ef4eb478", "name": "XMRig", "slug": "xmrig" } ], "attack_patterns": [ { "id": "9f11a241-9abc-4c57-95dd-33955ab08826", "name": "T1078" }, { "id": "6b5f1e68-aec7-4ea0-9777-62156da790a7", "name": "T1069" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d", "name": "T1053" }, { "id": "fcd96dc0-500e-4354-bd97-5c65718a9004", "name": "T1562" }, { "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7", "name": "T1016" }, { "id": "beaa4978-0309-438b-a45e-ec566b643811", "name": "T1505.003" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62", "name": "T1190" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" }, { "id": "b7c6c1ad-f183-4128-8427-3891029c73dc", "name": "T1539" }, { "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6", "name": "T1087" }, { "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b", "name": "T1033" }, { "id": "fc699aef-8931-4a79-8f79-9651be9abd50", "name": "T1021" }, { "id": "3245033a-53c4-454c-873a-fb653af0bf8a", "name": "T1552" }, { "id": "a7262c61-4567-4a00-8cec-aae6264234a9", "name": "T1218" }, { "id": "715f45b8-df47-4a38-a293-aec2019031d1", "name": "T1580" }, { "id": "70616b2f-4019-4963-b758-5d9f6f20e201", "name": "T1082" } ], "vulnerabilities": [ { "id": "", "name": "CVE-2021-27065" }, { "id": "", "name": "CVE-2025-55182" }, { "id": "", "name": "CVE-2021-26858" }, { "id": "", "name": "CVE-2021-26855" }, { "id": "", "name": "CVE-2021-26857" }, { "id": "", "name": "CVE-2025-66478" } ], "others": [ { "id": "", "name": "superminecraft.net.br" }, { "id": "", "name": "anywherehost.site" }, { "id": "", "name": "labubu.anondns.net" }, { "id": "", "name": "overcome-pmc-conferencing-books.trycloudflare.com" }, { "id": "", "name": "xpertclient.net" }, { "id": "", "name": "ghostbin.axel.org" }, { "id": "", "name": "vps-zap812595-1.zap-srv.com" }, { "id": "", "name": "donaldjtrmp.anondns.net" }, { "id": "", "name": "krebsec.anondns.net" } ] }, "external_refs": [ "https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components", "https://otx.alienvault.com/pulse/694080a2ef82d51f2b376868" ] }